Business of Law
Vendors boast of virus shields, but security experts scoff
Posted Sep 1, 2010 1:00 AM CST
By Joe Dysart
While you'd be hard-pressed to find a security consultant who believes any law firm can be completely protected from the Web's dark side, there are still plenty of vendors furiously pursuing the ideal. Two in particular, InZero and Invincea, claim to have come up with the magic bullet with technologies that essentially place an impenetrable buffer between a law firm's Web browsers and its critical digital infrastructure.
InZero has been especially bold in its assertions, once offering a free Harley-Davidson motorcycle to any hacker who could penetrate its first-generation product. There were no takers. A number of tests since then by British Telecom's Ipswich labs, Escrypt Inc., the federal Defense Advanced Research Projects Agency and others have come up empty-handed as well, according to Oleksiy Shevchenko, InZero's chief technology officer.
"During two months, we registered more than 100,000 attacks, and no one was successful," Shevchenko says of the Harley challenge.
Still, though competitor Invincea trots out similarly successful test results of impenetrability from the independent testing firm Cigital, law firm IT security consultants like Wise Comprehensive Solutions remain skeptical.
"Experientially and logically, there is always a back door or fail-safe to every system," says Orville Wilson, CEO at Wheaton, Md.-based Wise. However, Wise has not attempted to break into the two products.
The most nettlesome rub in all this? As the debate rages, the legal community has become an especially lucrative target for professional-grade hackers snooping the Web for high-value intellectual property and other business-critical information.
"Firms representing client corporations that are negotiating major international deals are particularly inviting targets," Wilson says. "Law firms have a tremendous concentration of really critical, private information. Hence, sneaking into their computer systems is a really optimal way to obtain economic, personnel and personal security-related information."
Alan Brill, a Secaucus, N.J.-based senior managing director at Kroll, another IT security consultancy, shares Wilson's view.
"The problem that law firms face is that there is an evolution leading to greater reliance on Internet-based communication with clients, co-counsel and the courts," Brill says. "I wish I could tell you that there was a matching evolution in security that would render today's problems obsolete, but that's not happening."
Compounding the vulnerability is a new breed of white-collar hacker rings, Brill says, which are more than happy to spend months attacking a law firm's IT system, slowly strangling its security like a cancer.
"They can be very hard to detect," Brill says. "They are using tools that enable them to customize very stealthy malware for particular targets." Oftentimes these tools have yet to appear on the radar of the most popular anti-virus and anti-malware software programs, he adds, making those programs useless against the new variants.
"Given this sophistication, I believe that firms have to recognize that the traditional anti-malware barriers have to be seen as only partial solutions," Brill says. "They are important, but they are not enough."
Specifically, Brill recommends firms consider a data loss prevention system, which continuously monitors a network for anything that is leaving the system. If the data does not fit predetermined rules for what is supposed to be leaving the network, it's stopped in its tracks.
"What we've learned is that there are a lot of potential defenses," Brill says. "You have to essentially do a risk analysis and determine how best to spend your available security dollars."
InZero's Shevchenko counters that his firm's InZero Security Platform is the complete solution. The heart of the product is a paperback-size computer placed between a user's PC and Internet connection, creating a buffer between the user and would-be hackers.
Essentially, InZero's computer—built from the ground up to be ultra secure—does all the interfacing and application work with the outside world over the Internet while the user simply views those interactions from a connected PC. Combined with additional network security management tools and services, InZero has yet to be defeated, Shevchenko insists.
Invincea also claims to throw up a mighty buffer against intruders, but it instead uses a software solution that creates a sophisticated virtual browser on a PC that users leverage to surf the Web. At the first whiff of any virus or malware, the Invincea browser shuts down, neutralizes the offending program, and then automatically reconstitutes itself to its original, pristine state.
One of the key advancements in the solution is Invincea's ability to catch malware red-handed by watching for telltale signs and behaviors, according to Invincea founder and chief scientist Anup Ghosh. This approach is generations ahead of conventional anti-virus/anti-malware software, he says, which recognizes only specific programs that are already known and have been cataloged as tools of criminals and miscreants.
Ilya Nazarov, InZero's vice president of marketing and sales, says the prices for individuals to purchase the InZero Gateway are $299 and $399. For larger enterprises, prices are set through an analysis of the customer firm and what services are needed and desired. Invincea does not publish prices, but press reports quote Ghosh as saying his firm has about $1 million in revenue from sales.
Like Wise's Wilson and Kroll's Brill, Vincent Polley is skeptical. Polley, who chairs the ABA's Standing Committee on Technology and Information Systems and practices in Bloomfield Hills, Mich., says, "There is no panacea."
But Shevchenko not only is undeterred but also has renewed his worldwide challenge to any and all hackers to try to penetrate his company's security platform with a brazen invitation on InZero's website. He taunts all comers: Capture InZero's virtual flag, a lone file on an in-company PC. The site claims more than 12 million have tried; none succeeded.